Git Commit Signing: Code we can trust?

When we install software on our computers we have to trust the package maintainers that it's secure.

If someone slips a hack into homebrew all of our machines could become vulnerable.

But what about our own code?

* When we deploy to production, how do we know we can trust it?
* What if someone pushes a hack to our github?
* Will CI still push it to production?

It turns out Git has a cool feature that can help us trust the code we deploy. We'll discuss Git Commit Signing, how it can help us, and what downsides it may have.

Talk given at the London Ruby User Group (LRUG) at Skillmatter in London on Monday 12th February 2018

Matthew Rudy Jacobs

February 12, 2018

Transcript

  1. git commit signing code you can trust? Matthew Rudy Jacobs

    @ LRUG Monday 12th February 2018
  2. @MATTHEWRUDY

  3. SOURCES

  4. SECURING DEVOPS

  5. HTTPS://MIKEGERWITZ.COM/PAPERS/GIT-HORROR-STORY

  6. WHAT'S THE PROBLEM?

  7. WHO WROTE THIS?

  8. MORE DANGEROUSLY

  9. SOMEWHERE IN THE MIDDLE!

  10. THIS WAS REAL

  11. WOULDN'T THIS BE BETTER? UNVERIFIED

  12. GIT COMMIT SIGNING

  13. WHAT IS IT?

  14. GIT 1.7.9 (JANUARY 2012)

  15. You've probably seen it

  16. You've probably seen it

  17. IT'S JUST PGP

  18. AND IT COMES BUILT INTO GIT

  19. YOU CAN SIGN COMMITS

  20. YOU CAN SIGN TAGS

  21. IT MOSTLY JUST WORKS

  22. HOW TO INSTALL

  23. • brew install gpg
      • gpg --full-generate-key
      • git config --global user.signingKey MYKEYID
      • git config --global commit.gpgsign true

  24. HTTPS://HELP.GITHUB.COM/ARTICLES/SIGNING-COMMITS-WITH-GPG/

  25. HTTPS://KEYBASE.IO/MATTHEWRUDY

  26. VERIFY YOUR CODE

  27. VIEW THE SIGNATURES

  28. GIT VERIFY-COMMIT Unsigned Unverified Verified

  29. STICK IT ON YOUR CI

  30. EXAMPLE FAILURE

  31. CAVEATS

  32. THERE ARE BUGS

  33. TOOLING COULD BE BETTER

  34. INTEGRATION COULD BE BETTER UNVERIFIED UNSIGNED

  35. SECURITY IS HARD!!!

  36. SECURITY IS HARD!!!
      What if someone breaks into your laptop?
      What if you don't notice a malicious change?
      What if someone hacks github?
      How do you expire an old key?
      What if a trusted employee goes rogue?
      What if someone compromises your CI?
      What if someone has a quantum computer?
  37. TRUSTING THE COMMITTER == TRUSTING THE CODE?

  38. CONCLUSIONS

  39. ADOPTION IS PRETTY LOW

  40. BUT IT'S QUITE EASY

  41. ITS VALUE DEPENDS ON YOUR BUSINESS

  42. WHY NOT TRY?

  43. THANKS
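Slides 27 to 30 (VIEW THE SIGNATURES, GIT VERIFY-COMMIT, STICK IT ON YOUR CI, EXAMPLE FAILURE) describe the check the talk recommends: before CI deploys, verify the signature on every commit and fail the build if any is unsigned or unverified. The script below is an added example written for this page, not code from the talk or the speaker. It reads the per-commit signature status that git itself computes (the `%G?` placeholder of `git log --format`, which calls gpg under the hood) and rejects anything that is not a good signature from a key we know. Assumptions made for the example: the CI keyring already holds the signers' public keys, the base branch is called origin/master, the pin list lives in an environment variable named ALLOWED_FPRS, and every commit hash and key fingerprint in the built-in demo is constructed, not real.

```shell
#!/bin/sh
# Added example (not from the talk): a CI gate that refuses to deploy unless
# every commit in the range carries a signature we trust.
set -eu

# Decide whether a `git log --format=%G?` status code is acceptable.
#   G = good signature from a key gpg already trusts           -> accept
#   U = good signature, but the key's trust is unknown          -> accept only
#       when the caller pins an explicit fingerprint list ($2); this is the
#       usual case on CI, where keys were just imported into a fresh keyring
#   N (unsigned), B (bad), E (key missing), X/Y/R (expired/revoked) -> reject
signature_ok() {
  case "$1" in
    G) return 0 ;;
    U) if [ -n "$2" ]; then return 0; else return 1; fi ;;
    *) return 1 ;;
  esac
}

# True when fingerprint $1 appears in the space-separated pin list $2.
key_allowed() {
  for pinned in $2; do
    [ "$pinned" = "$1" ] && return 0
  done
  return 1
}

# Read "<sha> <status> <fingerprint>" lines from stdin, the shape produced by
#   git log --format='%H %G? %GF'
# $1 is an optional space-separated list of pinned fingerprints. Prints one
# REJECT line per offending commit and returns 1 if any commit was rejected.
check_commits() {
  pins=${1:-}
  fail=0
  while read -r sha status fpr; do
    [ -n "$sha" ] || continue
    if ! signature_ok "$status" "$pins"; then
      echo "REJECT $sha: signature status '$status'"
      fail=1
    elif [ -n "$pins" ] && ! key_allowed "$fpr" "$pins"; then
      echo "REJECT $sha: signed by unpinned key ${fpr:-<none>}"
      fail=1
    fi
  done
  return $fail
}

# Live mode for CI: check the commits about to be deployed. git's %G? calls
# gpg, so the CI keyring must hold the signers' public keys; ALLOWED_FPRS
# (assumed name) pins which keys count, so "unknown trust" keys are still checked.
ci_gate() {
  git log --format='%H %G? %GF' "${1:-origin/master}..HEAD" \
    | check_commits "${ALLOWED_FPRS:-}"
}

# Constructed sample in the git log shape above (made-up hashes and keys):
# one trusted commit, one pinned-but-untrusted commit, one unsigned commit,
# one signed by a key that is not pinned, and one with a bad signature.
demo() {
  check_commits "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555" <<'EOF'
1111111111111111111111111111111111111111 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
2222222222222222222222222222222222222222 U AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 G 9999000011112222333344445555666677778888
5555555555555555555555555555555555555555 B AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
EOF
}

if [ "${1:-}" = "--ci" ]; then
  ci_gate "${2:-origin/master}"
else
  demo || echo "demo: build would be rejected (exit $?)"
fi
```

Run it with no arguments to see the three constructed rejections (unsigned, unpinned key, bad signature); run it as `sh gate.sh --ci origin/master` from a CI job, with ALLOWED_FPRS set and the signers' public keys imported, to gate a real branch. Pinning fingerprints rather than trusting whatever gpg reports as "good" matters on CI: a freshly imported key has unknown trust, and a build that accepts any good signature would also accept a commit signed by a key an attacker imported themselves.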